Qualys SSL Labs has some great tools to check your server’s SSL/TLS installation and make sure it doesn’t fall victim to the common vulnerabilities or exploits that seem to be discovered every month. If you’re running an Apache2 installation, securing your server against most SSL/TLS vulnerabilities is as easy as enabling the Apache headers module and then adding a few lines to your SSL configuration.
First, enable the headers module so Apache2 can modify headers sent to the client:
    pengc99@alpha:~$ sudo a2enmod headers
    Enabling module headers.
    To activate the new configuration, you need to run:
      service apache2 restart
    pengc99@alpha:~$
Then add the following lines to your SSL configuration:
    # Make the server secure
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:AES128-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!DH
Restart your server:
    pengc99@alpha:~$ sudo /etc/init.d/apache2 restart
    Restarting web server: apache2 ... waiting .
    pengc99@alpha:~$
That’s it! Now go run the test at https://www.ssllabs.com/ssltest/ and marvel at your server’s newfound security!
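For a quick offline check of the three directives above before relying on the online test, here is an added example (not part of the original post). The function names `directive`, `dead_cipher_entries` and `audit_ssl_conf` are hypothetical, and the cipher check is a simplification that matches `!` exclusions literally instead of expanding OpenSSL aliases.

```sh
#!/bin/sh
# Added example: offline audit of the three SSL directives shown above.

# Print the value of the last occurrence of an Apache directive in FILE.
directive() {  # usage: directive NAME FILE
    awk -v want="$1" 'tolower($1) == tolower(want) { $1 = ""; sub(/^ +/, ""); v = $0 }
                      END { print v }' "$2"
}

# Print cipher-string entries that can never be selected because a "!KEYWORD"
# anywhere in the string permanently removes a keyword they are built from.
# Simplification: only literal keyword matches are checked (OpenSSL aliases are
# not expanded), plus DES-CBC3-* suite names, which are 3DES.
dead_cipher_entries() {  # usage: dead_cipher_entries CIPHERSTRING
    printf '%s\n' "$1" | tr ':' '\n' | awk '
        /^!/ { banned[substr($0, 2)] = 1; next }
        NF   { entry[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                dead = 0; m = split(entry[i], part, "+")
                for (j = 1; j <= m; j++) if (part[j] in banned) dead = 1
                if (("3DES" in banned) && entry[i] ~ /^DES-CBC3-/) dead = 1
                if (dead) print entry[i]
            }
        }'
}

# Print one finding per line; exit status 0 means nothing was found.
audit_ssl_conf() {  # usage: audit_ssl_conf FILE
    proto=$(directive SSLProtocol "$1")
    order=$(directive SSLHonorCipherOrder "$1" | tr 'A-Z' 'a-z')
    suite=$(directive SSLCipherSuite "$1")
    out=""
    for p in SSLv2 SSLv3; do
        case " $proto " in
            *" -$p "*) ;;   # explicitly removed
            *" all "*|*" +$p "*|*" $p "*) out="${out}SSLProtocol does not remove $p
" ;;
        esac
    done
    [ "$order" = "on" ] || out="${out}SSLHonorCipherOrder is not on
"
    for e in $(dead_cipher_entries "$suite"); do
        out="${out}SSLCipherSuite entry $e is cancelled by a ! exclusion
"
    done
    printf '%s' "$out"
    [ -z "$out" ]
}

[ "$#" -eq 0 ] || audit_ssl_conf "$1"
```

Run against the configuration above, it reports `EECDH+aRSA+RC4` and `DES-CBC3-SHA`: the `!RC4` and `!3DES` exclusions remove them, so both entries can be dropped from the string without changing what the server offers.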